India Fights Against Malware Targeting Power SupplyRecorded Future Says China-Sponsored Groups Involved
State-sponsored groups in China appear to be targeting India’s power supply by dropping malware into systems, according to online digital threat analysis company Recorded Future.
On Monday, the Indian government issued a statement saying it took steps to mitigate risks posed by the ShadowPad backdoor malware that the hackers are using.
Although the Indian government acknowledged that various power grid systems across the country were targeted in a cyber sabotage attempt, it did not confirm whether a massive power outage in Mumbai last October was a result of a malware attack.
“There was a clear and consistent pattern of Indian organizations being targeted in this campaign through the behavioral profiling of network traffic to adversary infrastructure,” Recorded Future says.
In November 2020, CERT-In, the Indian Computer Emergency Response Team, detected ShadowPad and alerted the national grid operator's regional units, the Times of India reports.
When contacted by Information Security Media Group, Dr. Sanjay Bahl, director general of CERT-In, declined to comment.
India’s Information Sharing and Analysis Center, which provides a central resource for gathering information on cyberthreats, also declined to comment.
Mumbai Attack Attribution
“There is a high degree of confidence and general agreement on the fact that various power grid systems were targeted by the Chinese malware. However, there is no conclusive evidence on whether or not the Mumbai power outage was a result of this attack,” says Jiten Jain, CEO at the Indian Infosec Consortium, a not-for-profit group of information security researchers.
Hackers targeted 21 IP addresses linked to 12 Indian organizations in the power generation and transmission sector, according to the Recorded Future report.
“It is extremely tough to prevent such attacks as there are multiple ways malware can be inserted, irrespective of whether a system is air-gapped or not,” says C.N. Shashidhar, CEO of SecuriT Consultancy Services LLP, a security consultancy. “What matters is how quickly one can recover from such attacks. Response time needs to be minimal."
Recorded Future states that since early 2020, it has seen a large increase in suspected Chinese targeted intrusion activity against Indian organizations.
"From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control servers, to target a large swathe of India’s power sector. AXIOMATICASYMPTOTE servers are being used by a China-linked activity group tracked as RedEcho," the company notes.
Shomiron Dasgupta, a cybersecurity expert who is the founder of Netmonastery, says the involvement of China in the Mumbai blackout cannot be ruled out.
"China building its cyber arsenal is a fact known to many and for far too long by people who are and were able to initiate change. It's time we acknowledge that the next war is not going to be a howitzer-backed one, but cyberwar, a reality that can inflict heavy casualty without a bullet being fired," Dasgupta says. "If there is any truth to the statements put out by Recorded Future, it is a national embarrassment."
Recorded Future’s analysis suggests the China/India territorial dispute flare-up - the Galwan clash of June 2020 - likely resulted in hostilities moving online.
After the CERT-In alert in November 2020, the National Critical Information Infrastructure Protection Center, or NCIIPC, warned the Indian government about Red Echo, a Chinese state-sponsored group, trying to break into the grid control systems.
The Recorded Future report states that the IPs in the ShadowPad and Red Echo campaigns match. All the IPs listed by the NCIIPC were blocked and additional security controls were added.
On Feb. 20, 2021, the ethical hacking group Sakura Samurai warned NCIIPC that critical, unpatched vulnerabilities could enable hackers to access sensitive data.
Sakura Samurai alleged that NCIIPC was not meeting its obligations to protect the private data of citizens as well as its employees. NCIIPC is India's federal agency responsible for safeguarding the country's critical infrastructure (see: Indian Critical Infrastructure Protection Center Vulnerable).
Tracking Hacker Campaigns
Recorded Future notes that a subset of the Red Echo servers were configured with domains spoofing various Indian power generation and electricity transmission entities.
"We were able to determine a clear and consistent pattern of Indian organizations being targeted in this campaign through the behavioral profiling of network traffic to adversary infrastructure," Recorded Future reports. "Much of the observed network activity inbound to the AXIOMATICASYMPTOTE infrastructure was over SSL via TCP port 443."
An even larger proportion of the Red Echo-targeted Indian IP addresses were observed communicating with two AXIOMATICASYMPTOTE servers hosting a large number of DDNS domains, the security firm states.
Recorded Future further notes that Red Echo operational infrastructure is associated with the Chinese domain and infrastructure reseller cndns[.]com and the AXIOMATICASYMPTOTE infrastructure hosted on HKBN Enterprise Solutions HK Limited (AS9381) and EHOSTICT (AS45382).
On Monday, Chinese foreign ministry spokesperson Wang Wenbin said it was “highly irresponsible” to make hacking accusations without enough evidence. “China firmly opposes and cracks down on all forms of cyberattacks," Wenbin said. "Speculation and fabrication have no role to play on the issue of cyberattacks, as it is very difficult to trace the origin of a cyberattack.”
Dasgupta, the cybersecurity expert, notes: "The threat is not just from China or Pakistan alone. It could be from North Korea or as a matter of fact, from any state or nonstate actor. This intent is to destabilize the country."
ShadowPad, a modular backdoor, was first identified in the NetSarang compromise in 2017, an intrusion later attributed by FireEye to APT41, a Chinese cyberthreat group.
"While ShadowPad was initially considered exclusive to APT41, additional China-nexus groups began using ShadowPad in network intrusion campaigns from late 2019," FireEye said. "We assess that the sharing of ShadowPad is prevalent across groups affiliated with both Chinese Ministry of State Security and groups affiliated with the People’s Liberation Army, and is likely linked to the presence of a centralized ShadowPad developer or quartermaster responsible for maintaining and updating the tool."
FireEye claimed that at least five Chinese threat activity groups are using ShadowPad, including APT41, Tonto Team and groups using the Icefog malware, KeyBoy and Tick. ShadowPad is the latest example of Chinese hacker groups sharing malware for use in cyberespionage activity.
Other Hacking Incidents
In recent months, Indian federal agencies have been targeted by hackers.
In September 2020, security firm Seqrite Cyber Intelligence Lab uncovered a suspected Pakistani campaign that targeted India’s defense forces, including individual soldiers, with phishing emails and malware designed to steal data (see: Hackers Target India's Military).
In July, the security firm Malwarebytes found a Chinese APT campaign hitting victims in India amid ongoing border tensions between the two countries (see: China-Backed APT Group Reportedly Targets India, Hong Kong ).